Why DVWA?
Damn Vulnerable Web App is exactly what it sounds like. It’s a useful way to learn about some of the most common security problems that Web application developers face. While DVWA uses some pretty unhip technologies (PHP5 and MySQL), most of the vulnerabilities apply to all sorts of Web apps.
The creators of DVWA recommend that you play with it in a VM sandbox. This can be done in a few ways:
- Use Vagrant and Scotch-Box (see TL;DD at the end of this post)
- Install XAMPP into a vanilla VM
- Install from the DVWA LiveCD and then update DVWA itself to the newest version (1.9 as of this writing)
- Install DVWA in a Kali Linux VM
I’ll be outlining solution #4.
Why Kali?
Kali Linux is a Debian-based distribution that comes with security and penetration testing tools like Burp Suite and Metasploit. This may be overkill for DVWA, but anyone looking at DVWA is probably interested in learning more about security anyway.
Another reason is that the kind people at Offensive Security have created pre-made VirtualBox and VMWare images of Kali, which saves us some time.
The process
What you’ll need
- VirtualBox installed
- The prebuilt VirtualBox image of Kali. I recommend downloading it via BitTorrent.
- DVWA itself (use the download link there for the latest version)
- Something that can decompress .7z files (7-Zip on Windows, The Unarchiver on a Mac, or p7zip in Linux)
Kali Setup
- Decompress the .7z with the VirtualBox image. This should yield a
.ova
file. - In VirtualBox Manager, go to
File -> Import Appliance...
and select the appropriate .ova file. You can just clickContinue
andImport
. The default settings should be fine. This part may take a few minutes. - Start the Kali VM and login as root. The default password for the VM is
toor
. - Open up a terminal window from the icon with a “$_” on the left of the screen.
- Create a new user.
useradd -m <username>
passwd <username>
to set a passwordusermod -a -G sudo <username>
to add the user to the sudo groupchsh -s /bin/bash <username>
to set the shell to bash (or another shell if you prefer)
- Logout as root, then login as the new user.
DVWA Installation
- Drag the
DVWA-1.9.zip
file onto your VM’s desktop (or just open IceWeasel and download it). - Open a terminal window and run the following:
sudo su
unzip /home/<your username from above>/Desktop/DVWA-1.9.zip -d /var/www/html/
cd /var/www/html
mv DVWA-1.9/ dvwa/
chmod -R 755 dvwa
service mysql start
mysql -u root -p
. This will ask you for a password which should be blank.create database dvwa;
exit
to get back to the shellnano dvwa/config/config.inc.php
and change the db_password to''
(empty).service apache2 start
You should now be able to open the browser (IceWeasel) and navigate to http://localhost/dvwa/setup.php.
Fixing some things
You’ll see that a few items on the setup checklist are red. This will keep us from being able to do all of the exercises included with DVWA.
- At the bottom, we see that a couple of folders need to be made writable by the web server. Let’s do:
chgrp www-data dvwa/hackable/uploads/
chmod g+w dvwa/hackable/uploads/
chgrp www-data dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
chmod g+w dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
- Install the php-gd image manipulation module for PHP5:
- a simple
apt-get install php5-gd
won’t work here. We’ll need to add a repository first: - while still in
su
mode,nano /etc/apt/sources.list
- at the very end of the file, add the line
deb http://repo.kali.org/kali kali-rolling main non-free contrib
and save the file apt-get update
apt-get install php5-gd
- a simple
- Enable
allow_url_include
:nano /etc/php5/apache2/php.ini
- change the
allow_url_include
fromOff
toOn
- You can create a reCAPCHA key and add it to config.inc.php if you want.
service apache2 restart
to make the configuration changes live.
Now reload the setup.php page. Everything should be green and we can hit the “Create / Reset Database” button at the bottom.
If you want to work from outside the VM:
Everything should be working now, but we may prefer to use our host OS to do our actual work with DVWA. We’ll need to change a network setting and install an SSH server.
Switch to Bridged Adapter mode
VirtualBox probably defaulted the guest OS’s network to NAT mode. This worked fine for our apt-gets and such, but won’t let us access the Apache web server. In our VM’s machine -> preferences menu, go to the Network tab and set Attached to:
to Bridged Adapter
. It may take a moment for the changes to take place. See the VirtualBox manual for more information on the different networking modes.
Setup SSH
You can follow this guide by a guy who calls himself Dr.Chaos to get SSH working (you’ll need to run the commands as superuser). You can skip steps 4 and 5. Since we already made a user in the superuser group, we can just log in as that user instead of as root.
Access to DVWA on your Host OS’s browser
In the VM’s terminal, type hostname -I
to get the IP address. Point your browser to http://<kali-ip>/dvwa/
.
SSH into into Kali
If MacOS is your host OS, you can type ssh <username-we-created>@<kali-ip>
in the terminal to connect.
Setup a network share
Follow this guide on installing samba.
I added the following section to my /etc/samba/smb.conf
:
[dvwa]
comment = DVWA Folder
path = /var/www/html/dvwa
writeable = yes
browseable = yes
public = yes
read only = no
create mask = 0644
force create mode = 0755
valid users = <user-we-created>
Add the user we created in this guide when the guide above tells you to add a Samba user.
To be able to actually change the files through the Samba share, you’ll need to sudo chown -R <user-we-created> /var/www/html/dvwa
Now connect to smb://<user-we-created>@<kali-ip>/dvwa
in Finder/Explorer/Nautilus/etc.
You should be able to point your favorite editor to the share and make changes to the files. In OSX, it should be in the folder /Volumes/dvwa
. If your preferred editor is Sublime Text, you could run subl /Volumes/dvwa
.
All Set!
Now you can navigate to the login page at http://localhost(or-kali-ip)/dvwa/login.php. The default credentials are admin/password.
You can shut down the VM and save state to pick up where you left off.
NOTE: If you see a launch-bar in the VM but it otherwise seems unresponsive, try pressing Enter. The screen has auto-locked and you’ll have to re-enter your password.
Thanks to Linh Nguyen for some useful notes and input.
TL;DD:
If you don’t care about any of the tools that come with Kali, you can use Vagrant and Scotch-Box instead. Start out by following the get started guide on the Scotch-Box site.
- You will still need to edit DVWA’s
config/config.inc.php
to change the MySQL password toroot
. - You’ll also need to enable
allow_url_include
in the VM’setc/php5/apache2/php.ini
- From within your project’s folder:
vagrant ssh
sudo nano /etc/php5/apache2/php.ini
- Ctrl+W,
allow_url_include
, change it toOn
- Ctrl+X, then say [Y]es.
sudo service apache2 restart
exit
- From within your project’s folder: